IPv6 Attack
Introduction
In most Windows environments IPv4 is used rather than IPv6. You may encounter networks that don’t use IPv6 at all and where no one is serving IPv6 DNS, even though the Windows clients still have IPv6 enabled and still ask for IPv6 configuration. A threat actor can take advantage of this by standing up a spoofed IPv6 DNS server on the network.
The threat actor announces to every host that it is the IPv6 DNS server and that all IPv6 name resolution should go through it. The result is that the threat actor can capture authentication packets from users. These arrive as NTLM messages, which the attacker can then relay in order to authenticate to the Domain Controller (DC).
The attacker can use mitm6 and ntlmrelayx.py to authenticate to the DC, potentially gather information, and create new accounts that can be used to attack the network.
IPv6 DNS Takeover via MITM6
Note that you should only run mitm6 in short sprints, about 5-10 minutes at a time. Do NOT start mitm6 and leave it unattended; this can and will cause outages in a network.
Steps
1. Start ntlmrelayx.py.
2. Start mitm6.
3. Wait for an event to occur.
4. Wait for the programs to complete the exploit.
5. Review the dumped domain information.
Install mitm6
ntlmrelayx.py
Syntax: ntlmrelayx.py -6 -t ldaps://[DC IP] -wh [Any Domain] -l [Dumps Folder]
Note that for the domain part you must still use the Windows domain of your target network; you just need to prepend any subdomain you want.
mitm6
Syntax: sudo mitm6 -d [domain]
After starting ntlmrelayx.py and mitm6, wait for an event to occur. This can be a machine rebooting or a user logging in. Once an event has been triggered, both programs will automatically run the exploit and dump the information.
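The mechanism described in the introduction and in the step above (a rogue host answering the clients' IPv6 configuration requests and naming itself as the DNS server) is visible on the wire as DHCPv6 ADVERTISE/REPLY messages carrying a DNS server option. The following detector is an added example written for this page; it is not part of mitm6, ntlmrelayx.py or the original text. It parses the DHCPv6 framing (1-byte message type, 3-byte transaction id, then type/length/value options, with option 23 listing DNS servers and option 24 listing search domains) and alerts on any answer that names a DNS server not on an allow-list. On a network that never deployed DHCPv6 the allow-list is empty, so any ADVERTISE or REPLY at all is an alert. The packets, addresses and the allow-list value are constructed for the demo.

```python
"""Rogue DHCPv6 / IPv6 DNS takeover detector (added example, not from the page).

Framing follows the DHCPv6 wire format: msg-type (1 byte), transaction id
(3 bytes), then TLV options. Option 23 carries 16-byte IPv6 DNS server
addresses; option 24 carries DNS-encoded search domains.
All packets and addresses below are constructed for the demo.
"""
import ipaddress
import struct
from typing import Dict, List, Set, Tuple

DHCPV6_SOLICIT = 1
DHCPV6_ADVERTISE = 2
DHCPV6_REPLY = 7
OPT_DNS_SERVERS = 23   # list of 16-byte IPv6 addresses
OPT_DOMAIN_LIST = 24   # length-prefixed labels, 0 terminator, no compression


def parse_options(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV option list; a truncated option is an error, not a guess."""
    opts, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", payload, pos)
        pos += 4
        if len(payload) - pos < length:
            raise ValueError("truncated option body")
        opts.append((code, payload[pos:pos + length]))
        pos += length
    return opts


def decode_domain_list(body: bytes) -> List[str]:
    """Decode a sequence of DNS names (length-prefixed labels, 0 terminator)."""
    names, labels, pos = [], [], 0
    while pos < len(body):
        n = body[pos]
        pos += 1
        if n == 0:                      # end of one name
            names.append(".".join(labels))
            labels = []
        elif n >= 0xC0:                 # compression pointers are not allowed here
            raise ValueError("compression pointer in DHCPv6 domain list")
        else:
            labels.append(body[pos:pos + n].decode("ascii"))
            pos += n
    return names


def parse_dhcpv6(msg: bytes) -> Dict:
    """Return message type, transaction id, DNS servers and search domains."""
    if len(msg) < 4:
        raise ValueError("too short for a DHCPv6 header")
    result = {"type": msg[0], "xid": int.from_bytes(msg[1:4], "big"),
              "dns": [], "domains": []}
    for code, body in parse_options(msg[4:]):
        if code == OPT_DNS_SERVERS:
            if len(body) % 16:
                raise ValueError("DNS server option is not a multiple of 16 bytes")
            result["dns"] += [str(ipaddress.IPv6Address(body[i:i + 16]))
                              for i in range(0, len(body), 16)]
        elif code == OPT_DOMAIN_LIST:
            result["domains"] += decode_domain_list(body)
    return result


def check_message(src: str, msg: bytes, allowed_dns: Set[str]) -> List[str]:
    """Return alert strings for one DHCPv6 message sent from address src."""
    parsed = parse_dhcpv6(msg)
    if parsed["type"] not in (DHCPV6_ADVERTISE, DHCPV6_REPLY):
        return []                       # client traffic (SOLICIT etc.) is expected
    allowed = {ipaddress.IPv6Address(a) for a in allowed_dns}
    alerts = []
    if not allowed:                     # network is not supposed to run DHCPv6 at all
        alerts.append(f"{src}: DHCPv6 type {parsed['type']} on a network with no authorized DHCPv6 server")
    for server in parsed["dns"]:
        if ipaddress.IPv6Address(server) not in allowed:
            alerts.append(f"{src}: hands out unauthorized DNS server {server} "
                          f"for domains {parsed['domains'] or ['<none>']}")
    return alerts


# --- constructed sample traffic (builder included so the demo runs offline) ---
def encode_domain(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_dhcpv6(msg_type: int, xid: int, dns: List[str], domains: List[str]) -> bytes:
    opts = b""
    if dns:
        body = b"".join(ipaddress.IPv6Address(a).packed for a in dns)
        opts += struct.pack("!HH", OPT_DNS_SERVERS, len(body)) + body
    if domains:
        body = b"".join(encode_domain(d) for d in domains)
        opts += struct.pack("!HH", OPT_DOMAIN_LIST, len(body)) + body
    return bytes([msg_type]) + xid.to_bytes(3, "big") + opts


SAMPLE_TRAFFIC = [
    # a client asking for configuration: normal, no alert
    ("fe80::1a2b", build_dhcpv6(DHCPV6_SOLICIT, 0x000001, [], [])),
    # a link-local host answering and naming itself as DNS for the AD domain
    ("fe80::dead", build_dhcpv6(DHCPV6_ADVERTISE, 0xabcdef, ["fe80::dead"], ["corp.example"])),
]


def scan(traffic, allowed_dns: Set[str]) -> List[str]:
    alerts = []
    for src, msg in traffic:
        alerts += check_message(src, msg, allowed_dns)
    return alerts


if __name__ == "__main__":
    for line in scan(SAMPLE_TRAFFIC, set()):   # empty allow-list: no DHCPv6 expected
        print("ALERT", line)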
ntlmrelayx.py Attack
It was able to gather domain information from the target machine and was also able to create an Enterprise Admin account.
mitm6 Attack
Domain Information Dump
The following screenshots show the files that were created containing the domain's information.